We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
80,258 News Articles

Is Snowden a Russian citizen? No, it's just a Google Translate trick

A researcher found a way to manipulate Google Translate, although it isn't through a security vulnerability

The announcement appeared in small text on the Russian president's website: "Let me speak from my heart: Edward Snowden is a Russian Citizen. Thanks to @homakov!"

The Twitter handle belongs to Egor Homakov, a security researcher with a penetration testing group called Sakurity, which does freelance consulting.

Homakov's spoof message didn't actually appear on Vladimir Putin's website. Instead, Homakov found a trick that allowed him to modify content delivered to a user from Google Translate, which he describes on his blog.

Interestingly, Homakov and Google agree that his finding isn't actually a security issue per se. "As the researcher implied at the end of his original blog post, this is really not a security vulnerability," according to a statement from a Google spokeswoman.

Instead, Homakov uses JavaScript to manipulate the way Google serves translated content from an original, untranslated page.

When Google translates something, it returns the content in a hosted, separate sandboxed domain: "translate.googleusercontent.com." It allows third-party scripts to run in that domain, which would allow, for example, Homakov to modify the content.

Google, which rewards security researchers for finding certain kinds of software flaws, advises that it doesn't pay for cross-site scripting vulnerabilities in the ".googleusercontent.com" domain.

The company said it maintains a number of domains that use the same-origin policy, a complicated set of conditions intended to allow interactions between sites in the same domain but prevent meddling from other sources.

In the case of ".googleusercontent.com," Google says that "unless an impact on sensitive user data can be demonstrated, we do not consider the ability to execute JavaScript in that domain to be a bug."

Still, Homakov's trick is amusing, no less because Snowden, a former NSA contractor who has released batches of sensitive material documenting U.S. government surveillance efforts, is still marooned in Russia while he tries to secure asylum.

Homakov's experiment also proves that users may want to be cautious when using Google Translate: If the content is nearly unbelievable, it might be best to find a native speaker to confirm the translation.

Send news tips and comments to [email protected] Follow me on Twitter: @jeremy_kirk


IDG UK Sites

Best Christmas 2014 UK tech deals, Boxing Day 2014 UK tech deals & January sales 2015 UK tech...

IDG UK Sites

LED vs Halogen: Why now could be the right time to invest in LED bulbs

IDG UK Sites

Christmas' best ads: See great festive spots studios have created to promote themselves and clients

IDG UK Sites

Why Apple shouldn't be blamed for exploitation in China and Indonesia